Digital Security Research Group [DSecRG] Advisory [DSECRG-10-205] Internal #DSECRG-00144 Application: SAP BASIS Versions Affected: SAP XRFC 6.40/7.00 may be others Vendor URL: http://SAP.com Bug: Stack Overflow Exploits: YES (DoS PoC) Reported: 29.03.2010 Vendor response: 29.03.2010 Solution: YES Date of Public Advisory: 09.11.2010 Authors: Alexey Sintsov of Digital Security Research Group [DSecRG] Description *********** It is possible to make stack overflow condition via RFC SOAP request. In common case disp+work.exe (for windows version) will be restarted. If here will be regular SOAP requests than it's DoS. May be it's code execution possible. Details ******* Error present in XML parser, when it try to process tags from RFC SOAP request. Big count of inserted tag in tag causes a Stack Overflow condition. User must be authenticated for this attack, but it's some default accounts: EARLYWATCH, SAPCPIC, TMSADM, that can get access to SOAP interface. Example ******* http://dsecrg.com/pages/vul/show.php?id=205 References ********** http://dsecrg.com/pages/vul/show.php?id=205 http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a https://service.sap.com/sap/support/notes/1469549 Fix Information *************** Solution for this issue given in security note 1469549 About ***** Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards. Digital Security Research Group focuses on enterprise application (ERP) and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. Contact: research [at] dsecrg [dot]com http://www.dsecrg.com http://www.erpscan.com